cannot list/access samba share from Windows client

Hi,
I have a problem to list/access share from Windows client to share hosted on samba domain member server.
I followed the instruction from
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
step by step but I used sssd instead of winbind for the authentication method.
The Linux samba server is an Ubuntu server 16.04 and I successfully added this samba server to a awindows active directory domain (Windows server 2012 R2).
I login to the domain server machine as a domain admins user but II’m not able to list/access to the share when I digit in Windows Explorer \\servername I have the access denied with the request to insert the credential of a user enabled to it. Only the user mapped in  /etc/samba/user.map can manage the server via the ADUC interface and list, but I’ve assigned the SeDiskOperatorPrivilege to all domain admin Group

 root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
SeDiskOperatorPrivilege:
  COM_SPOLETO\Domain Admins
  BUILTIN\Administrators

Is there anyone can help me?

Below my configuration files.
----------------------------------------------------------------------
My /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = standalone server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        username map = /etc/samba/user.map
        unix password sync = Yes
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        winbind refresh tickets = Yes
        idmap config comune.spoleto.local : range = 10000-29999
        idmap config comune.spoleto.local : backend = rig
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers


[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
        inherit acls = Yes
-----------------------------------------------------------------------------
My /etc/samba/user.map
!root = COM_SPOLETO\Adminserver
----------------------------------------------------------------
My /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss winbind
group:          compat sss winbind
shadow:         compat sss
gshadow:        files

hosts:          files dns winbind
networks:       files

protocols:      db files
services:       db files sss winbind
ethers:         db files
rpc:            db files

netgroup:       nis sss winbind
sudoers:        files sss winbind
---------------------------------------------------------------------------------------------------------------------
My /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = COMUNE.SPOLETO.LOCAL

[domain/COMUNE.SPOLETO.LOCAL]
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = SRVLNXINTRA01.comune.spoleto.local

# Uncomment if DNS SRV resolution is not working
# ad_server = SRVW3KDC01.comune.spoleto.local

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = COMUNE.SPOLETO.LOCAL

# Enumeration is discouraged for performance reasons.
# enumerate = true
-------------------------------------------------------------------------------------------
My /etc/krb5.conf
[libdefaults]
        default_realm = COMUNE.SPOLETO.LOCAL
        ticket_lifetime = 24h #
        renew_lifetime = 7d

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        COMUNE.SPOLETO.LOCAL = {
        kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
        master_kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
        admin_server = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
        default_domain = COMUNE.SPOLETO.LOCAL
        }

[domain_realm]
        .comune.spoleto.local = COMUNE.SPOLETO.LOCAL
        comune.spoleto.local = COMUNE.SPOLETO.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false
-------------------------------------------------------------------------------------------

Inviato da Posta per Windows 10

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Please see inline comments:

On Mon, 8 Jan 2018 14:41:01 +0100
Andrea Rossetti via samba <[hidden email]> wrote:

> Hi,
> I have a problem to list/access share from Windows client to share
> hosted on samba domain member server. I followed the instruction from
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> step by step but I used sssd instead of winbind for the
> authentication method.

Then you didn't follow the wiki page.

The only mapping in the user.map should be Administrator to root.

'server role' is wrong, it is a Unix domain member

>         map to guest = Bad User

>         obey pam restrictions = Yes
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

I would remove the above 4 lines, you do not need them in a Unix domain
member smb.conf

> username map = /etc/samba/user.map
 
>unix password sync = Yes

You definitely do not want the above line in a Unix domain member
smb.conf, all your domain members should be in AD.

>         kerberos method = secrets and keytab
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         client signing = if_required
>         dns proxy = No
>         panic action = /usr/share/samba/panic-action %d
>         winbind refresh tickets = Yes

>         idmap config comune.spoleto.local : range = 10000-29999
>         idmap config comune.spoleto.local : backend = rig
>         idmap config * : range = 3000-7999
>         idmap config * : backend = tdb

As you are using sssd, you don't need the lines above, also it is 'rid'
not 'rig'


> -----------------------------------------------------------------------------
> My /etc/samba/user.map
> !root = COM_SPOLETO\Adminserver

It is Administrator not Adminserver

You either use 'sss' or 'winbind', not both

> shadow:         compat sss

You shouldn't add anything to the shadow line.

> gshadow:        files
>
> hosts:          files dns winbind

You do not use winbind for hosts

> networks:       files
>
> protocols:      db files
> services:       db files sss winbind

Same goes for services

> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss winbind
> sudoers:        files sss winbind

Same goes for netgroup and sudoers

> ---------------------------------------------------------------------------------------------------------------------
> My /etc/sssd/sssd.conf
> [sssd]

Pointless telling us what your sssd.conf is, it isn't anything to do
with Samba

> -------------------------------------------------------------------------------------------
> My /etc/krb5.conf
> [libdefaults]
>         default_realm = COMUNE.SPOLETO.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>

This is all you need in krb5.conf.

I would make the alterations I have suggested, then choose whether to
use 'sssd' or 'winbind', you cannot use both.
If you decide to continue to use 'sssd' and you still have problems,
you need to ask on the 'sssd-users' mailing list.

Rowland
 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Thanks for the rapid reply!

I think the problem was in the server role options I’ve modified it in  “server member” and now I’m able to list the shares under \\linuxserver from any domain user authenticated in a Windows pc AD member.
But now
1. Execute computer management from a Windows domain member client as a domain admin user (run as com_spoleto\rossetti.admin that is a “domain admins” member
2. Right click on computer management -> connect to another computer -> srvlnxwintra01 (the Linux server member)
3. I expand “System Tools” -> I expand “Shared Folders” -> click on “Shares”  right click on “share” -> Click Properties -> click on tab “Security”. In this tab I have the message “You musr have Read permission to view the properties of this object” even if I have granted SeDiskOperatorPrivilege to “com_spoleto\domain admins” Group. But If I execute “Computer Management” as “com_spoleto\adminserver” user (I explained below the reason I used this user) I can view/modify the ACLs.

Please see MY inline comments, and at the end of this message I pasted my modified config files:

Inviato da Posta per Windows 10

Da: Rowland Penny
Inviato: lunedì 8 gennaio 2018 15:15
A: [hidden email]
Cc: Andrea Rossetti
Oggetto: Re: [Samba] cannot list/access samba share from Windows client



>The only mapping in the user.map should be Administrator to root.

I’ve mapped the user COM_SPOLETO\adminserver because it is an enterprise admin as the COM_SPOLETO\Administrator
For security reasons we have disabled the Administrator user account. In fact I used adminserver to grant SeDiskOperatoPrivilege do “com_spoleto\domain admins” group (see lines below)

>>  root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges
>> SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter
>> com_spoleto\adminserver's password: SeDiskOperatorPrivilege:
>>   COM_SPOLETO\Domain Admins
>>   BUILTIN\Administrators

>> -----------------------------------------------------------------------------
>> My /etc/samba/user.map
>> !root = COM_SPOLETO\Adminserver

>It is Administrator not Adminserver

As just explained the adminserver is for us the enterprise domain admin.

----------------------------------------------
My modified /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr


[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers


[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
-------------------------------------------------------------------------------

My modified /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
--------------------------------------------------------------------------------

My modified /etc/krb5.conf

[libdefaults]
         default_realm = COMUNE.SPOLETO.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = true
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 8 Jan 2018 18:27:44 +0100
Andrea Rossetti <[hidden email]> wrote:


You are now solely using sssd for the authentication, you need to ask
on the sssd-users mailing list, either that or purge sssd and set up
winbind correctly.

I repeat, 'sssd' has nothing to do with Samba and as such, I cannot
help any further.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Inviato da Posta per Windows 10

>Da: Rowland Penny via samba
>Inviato: lunedì 8 gennaio 2018 18:48
>A: [hidden email]
>Oggetto: Re: [Samba] R: cannot list/access samba share from Windows client
>
>You are now solely using sssd for the authentication, you need to ask
>on the sssd-users mailing list, either that or purge sssd and set up
>winbind correctly.

>I repeat, 'sssd' has nothing to do with Samba and as such, I cannot
>help any further.
>
>Rowland

Ok I try to purge sssd and configure winbind.

apt-get remove --purge sssd && apt-get autoremove --purge

I successfull removed and re-joined the Linux domain member

root@SRVLNXWINTRA01:/home/data# net ads leave -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
Deleted account for 'SRVLNXWINTRA01' in realm 'COMUNE.SPOLETO.LOCAL'
root@SRVLNXWINTRA01:/home/data# net ads join -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
Using short domain name -- COM_SPOLETO
Joined 'SRVLNXWINTRA01' to dns domain 'comune.spoleto.local'

I modified the config files (see below)
And restarted the services

systemctl restart smbd nmbd winbind

I verified that the SeDiskOperatorPrivilege was set up correctly to “domain admins” Group

root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
SeDiskOperatorPrivilege:
  COM_SPOLETO\Domain Admins
  BUILTIN\Administrators

I verified the connectiviti with the domain

root@SRVLNXWINTRA01:/home/data# wbinfo --ping-dc
checking the NETLOGON for domain[COM_SPOLETO] dc connection to "SRVW3KDC01.comune.spoleto.local" succeeded

but now when I Look up Domain Users and Groups

root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\andrea.rossetti
root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"

I have no response and so I’m unable to assign the permission attribute to the share

root@SRVLNXWINTRA01:/home/data# LANG=en_EN chown root:"com_spoleto\domain admins" share
chown: invalid group: 'root:com_spoleto\\domain admins'

I’m very confused now!

--------------------------------------------------------------------------------
now my /etc/samba/smb.conf is

# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        winbind refresh tickets = Yes
        idmap config com_spoleto : range = 10000-29999
        idmap config com_spoleto : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr


[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers


[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
        inherit acls = Yes
----------------------------------------------------------------------------
My /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files
-------------------------------------------------------------------------------------

My /etc/krb5.conf
[libdefaults]
         default_realm = COMUNE.SPOLETO.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = true
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 8 Jan 2018 19:57:59 +0100
Andrea Rossetti <[hidden email]> wrote:

OK, If I run this on a Unix domain member:

getent passwd samdom\rowland

I get no output, but this:

getent passwd samdom\\rowland

gets me this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

I use the winbind 'ad' backend and 'Domain Admins' does not have a
gidNumber attribute, but 'Domain Users' does.

getent group "samdom\\domain users"

gets me this:

domain users:x:10000:<list of group members>

Try running 'net cache flush' and then try again.

Rowland






--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Ok.
I’ve done
root@SRVLNXWINTRA01:/home/data# nano /etc/samba/smb.conf

modified
idmap config COM_SPOLETO : backend = rid
to
idmap config COM_SPOLETO : backend = ad

root@SRVLNXWINTRA01:/home/data# systemctl restart smbd nmbd winbind
root@SRVLNXWINTRA01:/home/data# net cache flush
root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\\andrea.rossetti
root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"

nothing is changed!

More and more confused now! ☹

Inviato da Posta per Windows 10

Da: Rowland Penny via samba
Inviato: lunedì 8 gennaio 2018 20:31
A: [hidden email]
Oggetto: Re: [Samba] R: R: cannot list/access samba share from Windows client

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 8 Jan 2018 20:40:36 +0100
Andrea Rossetti <[hidden email]> wrote:

> Ok.
> I’ve done
> root@SRVLNXWINTRA01:/home/data# nano /etc/samba/smb.conf
>
> modified
> idmap config COM_SPOLETO : backend = rid
> to
> idmap config COM_SPOLETO : backend = ad

Unless you now want to start adding uidNumber attributes to your users
and gidNumber attributes to your groups, change it back. The 'rid'
backend calculates the users & groups IDs from the AD objects RID.

I do not use the 'rid' backend, I just tried to show you that it should
work.

Change it back then run 'net cache flush' again.

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

I’ve re-changed

root@SRVLNXWINTRA01:/home/data# nano /etc/samba/smb.conf

idmap config COM_SPOLETO : backend = ad
to
idmap config COM_SPOLETO : backend = rid

root@SRVLNXWINTRA01:/home/data# systemctl restart smbd nmbd winbind
root@SRVLNXWINTRA01:/home/data# net cache flush
root@SRVLNXWINTRA01:/home/data# systemctl restart smbd nmbd winbind
root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"
root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\\andrea.rossetti

Nothing changed!!! ☹ ☹

Inviato da Posta per Windows 10

Da: Andrea Rossetti
Inviato: lunedì 8 gennaio 2018 20:40
A: Rowland Penny; [hidden email]
Oggetto: R: [Samba] R: R: cannot list/access samba share from Windows client
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 8 Jan 2018 20:55:22 +0100
Andrea Rossetti <[hidden email]> wrote:

I changed the 'idmap config' block on my computer to this:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

Restarted smbd, nmbd and winbind, then:

root@devstation:~# net cache flush
root@devstation:~# getent passwd samdom\\rowland
rowland:*:11107:10513:Rowland Penny:/home/rowland:/bin/bash

root@devstation:~# getent group "samdom\\domain admins"
domain admins:x:10512:administrator,swanadmin,rowland

As you can see, it works ;-)

If it isn't working for you, you must have something misconfigured or
something missing, What do you have in /etc/hostname, /etc/hosts
and /etc/resolv.conf ?
What packages did you install with the Samba packages ? (note: not the
base OS packages, the packages installed when you installed Samba)

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

>Da: Rowland Penny via samba
>Inviato: lunedì 8 gennaio 2018 21:42
>A: [hidden email]
>Oggetto: Re: [Samba] R: R: R: cannot list/access samba share from Windowsclient

I’ve done exactly as you (view /etc/samba/smb.conf below) but nothing changed!

>If it isn't working for you, you must have something misconfigured or
>something missing, What do you have in /etc/hostname, /etc/hosts
>and /etc/resolv.conf ?

root@SRVLNXWINTRA01:~# cat /etc/hostname
SRVLNXWINTRA01

root@SRVLNXWINTRA01:~# cat /etc/hosts
127.0.0.1       localhost
192.168.23.244  SRVLNXWINTRA01.comune.spoleto.local     SRVLNXWINTRA01

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root@SRVLNXWINTRA01:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
search comune.spoleto.local
search comune.spoleto.local
nameserver 192.168.23.11
nameserver 192.168.23.12

>What packages did you install with the Samba packages ? (note: not the
>base OS packages, the packages installed when you installed Samba)

I used apt-get install samba

root@SRVLNXWINTRA01:~# dpkg -l | grep samba
ii  python-samba                          2:4.3.11+dfsg-0ubuntu0.16.04.12            amd64        Python bindings for Samba
ii  samba                                 2:4.3.11+dfsg-0ubuntu0.16.04.12            amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.3.11+dfsg-0ubuntu0.16.04.12            all          common files used by both the Samba server and client
ii  samba-common-bin                      2:4.3.11+dfsg-0ubuntu0.16.04.12            amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules                    2:4.3.11+dfsg-0ubuntu0.16.04.12            amd64        Samba Directory Services Database
ii  samba-libs:amd64                      2:4.3.11+dfsg-0ubuntu0.16.04.12            amd64        Samba core libraries
ii  samba-vfs-modules                     2:4.3.11+dfsg-0ubuntu0.16.04.12            amd64        Samba Virtual FileSystem plugins


--------------------------------------------------------------
My /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        winbind refresh tickets = Yes
        idmap config com_spoleto : range = 10000-999999
        idmap config com_spoleto : backend = rid
        idmap config * : range = 2000-9999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
        inherit acls = Yes
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 8 Jan 2018 22:38:15 +0100
Andrea Rossetti <[hidden email]> wrote:

I think I understand it now ;-)

The debian Samba package used to install winbind as a dependency, it
doesn't now, try running this (as root):

apt-get install winbind libnss-winbind libpam-winbind

The last two packages are the 'glue' between winbind and nsswitch

Rowland
 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Inviato da Posta per Windows 10

Da: Rowland Penny via samba
Inviato: lunedì 8 gennaio 2018 22:52
A: [hidden email]
Oggetto: Re: [Samba] R: R: R: R: cannot list/access samba share fromWindowsclient

>I think I understand it now ;-)
>
>The debian Samba package used to install winbind as a dependency, it
>doesn't now, try running this (as root):
>
>apt-get install winbind libnss-winbind libpam-winbind
>
>The last two packages are the 'glue' between winbind and nsswitch

Ok now I can Look up Domain Users and Groups

root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\andrea.rossetti
COM_SPOLETO\andrea.rossetti:*:11212:10513:Andrea Rossetti:/home/COM_SPOLETO/andrea.rossetti:/bin/false
root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"
COM_SPOLETO\domain admins:x:10512:

I can set permission tu shared folder

root@SRVLNXWINTRA01:/home/data# chown root:"com_spoleto\domain admins" share
root@SRVLNXWINTRA01:/home/data# chmod 2770 share/
root@SRVLNXWINTRA01:/home/data# ls -la
totale 20
drwxrws---  2 root     COM_SPOLETO\domain admins 4096 gen  8 19:39 share

But I have the same problem that I have before when I had sssd instead of winbind
1. Execute computer management from a Windows domain member client as a domain admin user (run as com_spoleto\rossetti.admin that is a “domain admins” member
2. Right click on computer management -> connect to another computer -> srvlnxwintra01 (the Linux server member)
3. I expand “System Tools” -> I expand “Shared Folders” -> click on “Shares”  right click on “share” -> Click Properties -> click on tab “Security”. In this tab I have the message “You musr have Read permission to view the properties of this object” even if I have granted SeDiskOperatorPrivilege to “com_spoleto\domain admins” Group. But If I execute “Computer Management” as “com_spoleto\adminserver” user (I explained below the reason I used this user) I can view/modify the ACLs.
4. Even if I change the permission, using adminserver, adding domainadmins full control this folder subfolder and files and adding domain users read and execute this folder subfolder and files, neither a simple user nor a domain admin users can list the shares in \\servermember
Please help me thanks!
I’ve more and more and more confused. ☹


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

I tried again, this morning, only point 4 and now I can do things that last night did not make me do without change any configuration. That night brings advice? 😊 😊 😊 Seriously… now both the “domain users” and “domain admins” can list share on \\linuxservermember the “domain admins” full control and the “domain users” read only.
Do the ACLs configurations take time to be transposed by samba when done from a vindows client via “computer management” snap-in??
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Tue, 9 Jan 2018 09:58:44 +0100
Andrea Rossetti <[hidden email]> wrote:

We have a wiki page for this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba